It turns out smart TVs might be smarter than consumers ever wanted.
One concern raised by the WikiLeaks document trove published this week, which purportedly described Central Intelligence Agency tools for hacking dozens of gadgets, was that the agency could turn certain Samsung Electronics Co. televisions into spying devices. The trick: making the screen go black so the TVs appear off but are still powered on, then recording private conversations using the microphones built in to enable voice-activated features.
The WikiLeaks disclosures -- which the group said also reveal the CIA's ability to exploit products of other companies, including Apple Inc., Alphabet Inc.'s Google, and Microsoft Corp. -- have sent a chilling message to tech giants whose connected devices are increasingly becoming part of the home. Interconnected gadgets, touted to consumers for their convenience, could also introduce new ways to poach personal information.
Few firms have more at stake than Samsung, which is the world's largest maker of smartphones, televisions and memory chips and produces a wide range of other connected devices. The South Korean giant is mired in scandal at home, with de facto leader Lee Jae-yong indicted on bribery and other charges. And its mobile division is reeling from a recall last year of the Galaxy Note 7 smartphone. Samsung's next flagship device, the Galaxy S8, is due to launch later this month.
The risk for Samsung and other tech firms is that the leaks could fuel consumer concerns that slow the shift toward more connected homes. The number of connected "things" around the world, from televisions to baby monitors to thermostats, was 3.8 billion in 2014, according to Gartner Inc., with projections of 8.4 billion this year and 20.4 billion by 2020.
Many of the companies involved, including Samsung, said they believed they had already addressed many vulnerabilities with software updates but were continuing to investigate the matter.
The CIA program that allegedly hacks Samsung smart TVs was nicknamed "Weeping Angel," a reference to the frightening stone-like creatures from the British Broadcasting Corp. television series "Doctor Who" that only move when no one is looking at them. The tool was developed in June 2014 during a joint workshop with the CIA and British intelligence agencies, according to the WikiLeaks documents.
A Samsung spokesman said the WikiLeaks report described malicious software installed by "a physically connected USB drive" and affected televisions sold in 2012 and 2013. Most of those sets have received requisite software updates, he said.
"We continually monitor for any security risks across our Smart TV platforms and if we find one, we promptly address it," the spokesman said.
The leaked documents' description of the "Weeping Angel" tool appears similar to a technique that security researchers Lee Seung-Jin and Kim Seung-joo disclosed at a hacking conference in 2013 in a presentation to alert device makers and the general public to these security risks.
In both cases, the technique enabled an intruder to put the television into a "fake off" mode where the screen powered down, but the underlying computer system remained operational as long as the TV was still plugged in. The hackers could then covertly record conversations and send them back to the CIA, the WikiLeaks documents said.
It "sounds like they used our code or they invented almost the same tech as ours," Mr. Lee said in an email.
Messrs. Lee and Kim said in their presentation that by manipulating the "firmware" installed on a device, they were able to leave the Samsung television running even when it was switched off by users. They programmed the system to shut off its screen and its red LED power light to appear nonoperational. The device "looks literally 'turned off' and the TV will be a best spy for you," Mr. Lee said. "After that, it can monitor you through the camera and microphone 24/7 until people pull the plug."
Samsung said at the time that consumers had a multistep process to opt in to voice recognition and that the software could be deactivated at any time. The data collection provision existed to help with internal evaluations and product improvement, the firm said.
Some cybersecurity experts said nearly any device would be vulnerable if an attacker could access it in person, rather than remotely. "If you have physical access to something, you can hack it," said Craig Young, principal security researcher at Tripwire Inc.
Still, experts say TVs are particularly vulnerable to cyberattacks, especially those with cameras and microphones, because consumers don't always think to download the new versions of software on their televisions the way they do on smartphones, which receive frequent software and security updates.
"Perhaps we pay less attention than we should because not everybody uses all of the functionality of a smart TV," said Atul Prakash, an electrical engineering and computer science professor at the University of Michigan. "It's there. But it's kind of invisible."